April 23, 2024

IEEE Task Force Revising Equipment Standards to Protect Against Cyber Attacks

by Joseph Weiss, P.E., KEMA

Energy utilities face a greater risk of cyber attacks today than ever before. This growing threat has prompted IEEE and other industry standards organizations to examine industry standards relating to equipment and policies that may inadvertently be increasing the vulnerability to attacks in cyberspace or inadvertently preventing the implementation of cyber security technologies. The goal is to provide utilities with the guidance needed to protect their automated transmission and distribution (and power plant) control systems from unauthorized incursions.

Until recently, most utilities and standards organizations had not considered cyber attacks, but their impacts can be potentially devastating in terms of financial and physical damage. An attack in cyber space can take many forms, but the most common involves hackers who gain access to vital operating or business systems through remote access or wireless entry points.

In some cases, the perpetrator may steal or alter critical information relating to the utility’s customer files or the operating indices of equipment. In either situation, the information is proprietary and could be dangerous in the wrong hands. The other type of cyber incursion has even worse consequences. It involves a hacker actually taking control of operating systems and disrupting service to customers or damaging equipment. What makes these attacks more frightening is that they are very difficult to detect, often being blamed on faulty hardware or software.

These and other incursions have taken place in larger numbers over the past few years, although their details have been under-reported, in part because there is no methodology for identifying reportable events or a central body within the utility industry to investigate such problems. The underlying issue, however, is vulnerability, and energy utilities have unwittingly left themselves open to cyber attacks by implementing automated control and remote access technologies with numerous entry points and virtually no protection.

This vulnerability is particularly risky now due to the combination of a volatile political situation in the world and a hyper-competitive energy market in a struggling economy. News reports say international terrorists may be targeting our energy infrastructure – a threat not to be ignored. But recent incursions suggest the more immediate threat comes from inside the industry or from unintended impacts of attacks on the Internet.

The power industry is always competitive, but in today’s difficult economy many security analysts believe heightened competition may drive some individuals to use cyber means to gain information on other utilities’ operations and customer bases. In addition, the down economy has compelled utilities to lay off workers and subcontractors, many of whom have the knowledge to take out frustrations on their former employers in cyberspace. Such disgruntled workers may pose the most significant current threat. Additionally, there is a significant reticence to share vulnerability information or impacts.

For most utilities this threat is new, and they do not know how to protect themselves. To provide some guidance, the IEEE Power Engineering Society (PES) has created a task force to study applicable PES IEEE standards that may contribute to the cyber vulnerability of the power infrastructure.

Once standards that can be impacted by cyber have been identified, IEEE PES will have the appropriate subcommittees look at each one in detail to determine if, and how, the vulnerability may be eliminated. In some cases, new security procedures may be the solution. Others may require the implementation of existing technology, or perhaps the development of entirely new products designed for control system cyber security. Although these and other standards revisions are meant to assist the industry, utilities must take caution to avoid the confusion and false sense of security that will undoubtedly arise as multiple new standards are introduced.

Identifying Vulnerabilities
IEEE and similar organizations worldwide (e.g., ISA, the Instrumentation, Systems, and Automation Society; the International Electrotechnical Commission, IEC; the International Council on Large Electric Systems, CIGRE; etc.) have provided a valuable service to the energy industry worldwide by devising and publishing consensus standards on equipment, training, policy and regulations. Standards in equipment design and operation offer direction for vendors to use in bringing usable and compatible products to market, and provide utilities the specifications required to select and implement the appropriate equipment and procedures. But most of all, these standards ensure that utility equipment is operated and maintained efficiently. This is where the link between standards and cyber vulnerability resides.

In the quest for improved efficiency – the ability to operate less expensively with fewer personnel – utilities in the past decade have enthusiastically embraced automated control such as Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems, and Programmable Logic Controllers with remote access capabilities. Transmission and distribution infrastructure in particular has seen the automation of its operations centers and substations with remote terminal units, intelligent electronic devices and smart meters.

Without question these advanced technologies have enhanced efficiency of utility operations, but they have also provided open entry points for cyber incursions because they are designed – according to standards – for efficiency, not security. In fact, the reason these devices are so efficient is because they are open. They can be operated from almost anywhere and are designed to freely share information with other systems.

The utility industry was historically built with closed systems that were impenetrable by nature, which meant no one in the enterprise had to be concerned with cyber security. Unfortunately, this attitude continued even after open systems were introduced and implemented. And the nonchalance carried over into the development of today’s existing standards for transmission and distribution equipment.

The other factor contributing to the situation is institutional and common to many industries – the chasm between the IT and Operations departments within the utility. IT people are responsible for cyber security and have taken steps to protect their devices. Unfortunately, without an understanding of complex operational systems, IT doesn’t recognize the required reliability and availability of these systems and the impact cyber security mitigation can have on these systems. This aspect of cyber vulnerability is certain to heat up within utilities in the near future as IT personnel begin taking steps they believe will reduce the threat, but with potential negative impact on system operation.

Particularly frightening about the cyber situation is its pervasiveness. A utility is vulnerable if it has automated or integrated key control systems with hardware or software that is web-enabled or accessed by wireless communications. The Internet, an intranet or a wireless device is an open door to uninvited entry. A typical automated control system, for example, has a front door through which operations personnel conduct their daily business, a back door used by system administrators, and a side door for vendors. If security exists at all, it can be circumvented by almost any hacker.

Some of the most common and vulnerable entry points into control systems include the following:

  • systems linked to a corporate network or intranet,

  • remote sensors that feed control, diagnostics, and/or status data back to a central control system,

  • telecommunications links to vendors for uploading of software updates,

  • integration points between business and operations systems,

  • remote access to internal systems, including modems and web links.

Ironically, those utilities that have equipped themselves for better performance through implementation of automated technologies are the ones most at risk. And those without automation now are probably considering it, which means cyber security must be included in their plans. The bottom line is that this issue is relevant to nearly all utilities.

Examining Standards
IEEE has authored hundreds of standards relating to the efficient operation and design of utility equipment. The PES Cyber Security Task Force is focusing on those standards where the vulnerabilities reside – substations, protective relay devices and control centers. These have experienced the lion’s share of automation and integration over the past several years. Standards with no communications or networking requirements are quickly eliminated from further study.

The task force met on July 14, 2003, to begin evaluating standards and requesting the expert assistance of the various IEEE committees responsible for the substation, relay and control center standards. Although the total number of standards that must be altered may not be extensive, the complexity of the situation became immediately apparent to the task force during its initial meeting in January 2002.

As mentioned, many standards were adopted with efficiency in mind. Cyber security was not a consideration. Unfortunately, the reason so many devices, such as SCADA components, operate efficiently is that they have no security. Security measures often reduce efficiency.

Using SCADA as the example, some applications have been created to transmit breaker status data to the control center every 4 milliseconds. While this timing leads to efficient operations, it leaves no extra time for the SCADA to interrogate the data request or examine the authenticity of the data. Essentially, there is no room to build a security measure into the standard operation of the device without negatively impacting its performance. Security comes with a price.
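The timing trade-off in this paragraph, as an added illustration that is not from the article or from KEMA: a constructed 4 ms breaker-status frame is authenticated with HMAC-SHA256 (assumed here as the mechanism; the article names none), a receiver rejects tampered and replayed reports, and the fraction of the 4 ms cycle consumed by one verification is measured.

```python
import hashlib
import hmac
import struct
import time

# Reporting interval from the article: breaker status every 4 ms.
CYCLE_SECONDS = 0.004
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

# Frame layout (constructed for this example, not an IEEE or SCADA wire format):
# breaker id (uint16), state (uint8: 1 = closed, 0 = open), sequence (uint32).
FRAME_FMT = "!HBI"

def build_frame(key: bytes, breaker_id: int, closed: bool, seq: int) -> bytes:
    """Pack a status report and append an HMAC-SHA256 tag over it."""
    payload = struct.pack(FRAME_FMT, breaker_id, int(closed), seq)
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify_frame(key: bytes, frame: bytes, last_seq: int):
    """Return (breaker_id, closed, seq) if the tag is valid and seq advances, else None."""
    if len(frame) != struct.calcsize(FRAME_FMT) + TAG_LEN:
        return None
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    breaker_id, state, seq = struct.unpack(FRAME_FMT, payload)
    if seq <= last_seq:  # replayed or reordered report
        return None
    return breaker_id, bool(state), seq

def cycle_budget_used(key: bytes, rounds: int = 1000) -> float:
    """Fraction of the 4 ms cycle spent verifying one authenticated frame (averaged)."""
    frame = build_frame(key, 7, True, 1)
    start = time.perf_counter()
    for _ in range(rounds):
        verify_frame(key, frame, 0)
    per_frame = (time.perf_counter() - start) / rounds
    return per_frame / CYCLE_SECONDS

if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; a real deployment provisions keys per device
    good = build_frame(key, 7, True, 42)
    print("genuine frame:", verify_frame(key, good, 41))
    tampered = good[:2] + bytes([0]) + good[3:]  # flip breaker state, leave tag unchanged
    print("tampered frame:", verify_frame(key, tampered, 41))
    print("replayed frame:", verify_frame(key, good, 42))
    print(f"verification uses {cycle_budget_used(key):.2%} of the 4 ms cycle")
```

The measured fraction is what a designer would weigh against the rest of the 4 ms budget; on a general-purpose CPU it is small, but on a constrained relay or RTU the same check is what the article's trade-off is about.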

PES will undoubtedly consider many similar trade-offs. It is too early to predict precisely how these revisions will be enacted and at what cost to utilities.

The first changes to standards recommended by IEEE will likely relate to procedures that can be altered to provide a temporary, but by no means fool-proof, enhancement to security. These steps will offer a work-around solution until new technologies with built-in security can be developed, a process that can take years. Procedural solutions can be as simple as routinely changing system access passwords or spelling out exactly who can have access to critical systems and be able to operate remote devices.

The long-term solution for cyber security comes back to technology and corporate culture, which often does not exist for control system infrastructure protection. IT personnel will be quick to suggest building firewalls, but these products are not specifically designed to protect an operations center. Until firewall devices are introduced for control systems, any existing product must be considered a stop-gap measure that offers only partial protection. The same is true for intrusion detection devices, which are currently available but not designed for control system applications.

The new standards ultimately emerging from the IEEE will seek to close entry points and track authorized users through the use of customized firewalls, detection devices and other new technologies. By limiting access to authorized personnel and establishing a pattern of typical use, utilities will more readily prevent cyber intrusions and detect them more quickly when they do occur.

Implementing Standards with Caution
The issue of cyber security is finally beginning to get the attention it deserves from the power industry, but as a result, utilities can expect multiple new standards in the near future. Therefore, caution must be taken to ensure a utility takes into account all of the standards which apply to it. A case in point is the new NERC cyber security standards (Urgent Standard 1200) published in mid-2003 and taking effect in the first quarter of 2004.

To counteract this situation, KEMA Inc., an international utility consulting and technical services firm based in Fairfax, Va., is working with multiple utilities in cooperation with IEEE and other standards organizations to develop security policies specifically designed and adopted for T&D control systems. These independently created policies, coupled with revised IEEE equipment standards, will enable utilities to take major steps towards protecting themselves from attacks in cyber space.

About the Author
Joseph Weiss is an Executive Consultant at KEMA, an independent company founded in 1927 with an international reputation for high-level technical consultancy, testing, inspections and certification for businesses in the energy industry. KEMA US headquarters is in Fairfax, Virginia.

He is chairman of the IEEE Power Engineering Society’s task force reviewing equipment standards for cyber security. He is also a member of ISA’s Process Control Systems Security Committee – SP99, and CIGRE’s Task Force on cyber security. Weiss is located in California and may be reached at jweiss@kemaconsulting.com